I could see this being useful to create a keystore management UI for picketlink IdP's and SP's, possibly providing a path to self-service in some SP use cases? -mike On 06/18/2014 02:28 PM, Pedro Igor Silva wrote:

Yeah, that is the idea too. Giriraj Sharma wants to help us in the future to provide an UI based on that. ----- Original Message ----- From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; To: "security-dev >> \"security-dev" <security-dev(a)lists.jboss.org&gt; Sent: Wednesday, June 18, 2014 3:32:30 PM Subject: Re: [security-dev] PicketLink and Certificate Management API Sorry, the there was a error on the example. This is the correct code: X509Certificate userCert = authority.issue(certRequest); // issue a cert for user and sign it with the CA key ----- Original Message ----- From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; To: "security-dev >> \"security-dev" <security-dev(a)lists.jboss.org&gt; Sent: Wednesday, June 18, 2014 3:28:40 PM Subject: [security-dev] PicketLink and Certificate Management API Hi, We're looking to provide a API to easily enable Key and Certificate Management to PicketLink-based applications. The idea is turn a partition into a Certification Authority, responsible for issue, validate, revoke and renew certificates for the identity types (eg.: users, devices, etc) associated with it. In the future, we also want to provide: - RESTful Endpoints to perform not only certificate operations, but also manage keys. Specially public keys. Probably using JSON Web Keys (JWK). - Better support for html5 and mobile applications that require some kind of support for certificates, assymetric keys, signature and encryption. Specially when using JWT and JOSE. - Support Java KeyStores to load and store keys. So far we did something like: CertificateConfig config = new DefaultCertificateConfig(); // set config with signature algo, cert sign algo, default validity, bit length, etc // create a CA based on a existing partition CertificateAuthority authority = new DefaultCertificateAuthority(partition, config); User user = // get user CertificateRequest certRequest = new DefaultCertificateRequest(user, config) X509Certificate userCert = ca.issue(certRequest); // issue a cert for user and sign it with the CA key We're still working on it. But would like to check your feedback or opinions about requirements and use cases. Regards. Pedro Igor _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev

Consider this one, please. ----- Original Message ----- From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; To: "security-dev >> \"security-dev" <security-dev(a)lists.jboss.org&gt; Sent: Friday, June 27, 2014 6:07:46 PM Subject: Re: [security-dev] PicketLink and Certificate Management API After some initial work, I think we have an initial design. Still have some things to think about, specially regarding the configuration and storage. Basically, what we have so far are two main components: KeyAuthority and CertificateAuthority. The first one is about managing keys (eg.: RSA keys) for partition and identity types. The second one is about managing certificates using the keys for a particular type. The first thing you should do is create a keypair for a specific type as follows: @Inject private KeyAuthority keyAuthority; public void createUser() { User user = // create user this.keyAuthority.generateKeys(user); } PicketLink will generate some random keys by default. We're trying to find the best way to support keystores or let users provide them manually. One you have the keys you can issue certificates like that @Inject private CertificateAuthority certificateAuthority; public void issueCertificate(User user) { Certificate certificate = this.certificateAuthority.issue(user); // do something } There is also some other methods like: Certificate certificate = this.certificateAuthority.retrieve("CN=john,O=JBoss"); this.certificateAuthority.validate(certificate); this.certificateAuthority.revoke(certificate); this.certificateAuthority.isRevoked(certificate); For keys, you can use the KeyAuthority to: KeyPair keyPair = this.keyAuthority.generateKeys(user); KeyPair keyPair = this.keyAuthority.getKeyPair(user); If you want, you can use only key management. Useful if you just need to sign and encrypt things only. ----- Original Message ----- From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; To: "security-dev >> \"security-dev" <security-dev(a)lists.jboss.org&gt; Sent: Wednesday, June 18, 2014 3:35:09 PM Subject: Re: [security-dev] PicketLink and Certificate Management API Yeah, that is the idea too. Giriraj Sharma wants to help us in the future to provide an UI based on that. ----- Original Message ----- From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; To: "security-dev >> \"security-dev" <security-dev(a)lists.jboss.org&gt; Sent: Wednesday, June 18, 2014 3:32:30 PM Subject: Re: [security-dev] PicketLink and Certificate Management API Sorry, the there was a error on the example. This is the correct code: X509Certificate userCert = authority.issue(certRequest); // issue a cert for user and sign it with the CA key ----- Original Message ----- From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; To: "security-dev >> \"security-dev" <security-dev(a)lists.jboss.org&gt; Sent: Wednesday, June 18, 2014 3:28:40 PM Subject: [security-dev] PicketLink and Certificate Management API Hi, We're looking to provide a API to easily enable Key and Certificate Management to PicketLink-based applications. The idea is turn a partition into a Certification Authority, responsible for issue, validate, revoke and renew certificates for the identity types (eg.: users, devices, etc) associated with it. In the future, we also want to provide: - RESTful Endpoints to perform not only certificate operations, but also manage keys. Specially public keys. Probably using JSON Web Keys (JWK). - Better support for html5 and mobile applications that require some kind of support for certificates, assymetric keys, signature and encryption. Specially when using JWT and JOSE. - Support Java KeyStores to load and store keys. So far we did something like: CertificateConfig config = new DefaultCertificateConfig(); // set config with signature algo, cert sign algo, default validity, bit length, etc // create a CA based on a existing partition CertificateAuthority authority = new DefaultCertificateAuthority(partition, config); User user = // get user CertificateRequest certRequest = new DefaultCertificateRequest(user, config) X509Certificate userCert = ca.issue(certRequest); // issue a cert for user and sign it with the CA key We're still working on it. But would like to check your feedback or opinions about requirements and use cases. Regards. Pedro Igor _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev

The motivation behind partition performing CA tasks is that partitions are in essence security domains or realms. We are already working in an independent code base for cert and key mgmt. ----- Original Message ----- From: "Anil Saldhana" <Anil.Saldhana(a)redhat.com&gt; To: security-dev(a)lists.jboss.org Sent: Thursday, July 3, 2014 1:41:26 PM Subject: Re: [security-dev] PicketLink and Certificate Management API Pedro, if the partition can perform the tasks of a CA, that is fine. But we need a separate independent code base to do the Certificate Management. We may have a circular dependency here because the Cert Mgmt stuff may want to use PL IDM to interact with the data stores - file, ldap,DB. :) Regards, Anil On 06/18/2014 01:35 PM, Pedro Igor Silva wrote: _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev

CA is an independent set of libraries. Projects will be able to use them separately. If the certificates have to be stored in a data store such as db,ldap then it is better to use the PL IDM as an implementation detail.